We've (re)discovered an interesting new run of Facebook CPA survey spam.

It uses this subject line: This girl killed herself after her dad posted a secret of her on her fb wall.

The spammer used this template two weeks ago and it then linked to a webpage hosted at thedominio.info.

Today, the spam links to apps.facebook.com. Directly to a Facebook app, very interesting…

It's been quite some time since we've seen a direct link to an app. In their constant cat and mouse battle with Facebook, spammers have long been forced to use short URL services and other redirection tricks.

Let's see what's new.

The spam uses the same image, subject and description, but links to an app. This benefits the spammer in two ways. First, it reduces his overhead because he needs to maintain fewer external resources. Secondly, reputation services such as Web of Trust rate apps.facebook.com as safe, so there are likely to be fewer warnings about the link.

But there's not much to see from those apps. If the Facebook user clicks on the link, the application will immediately redirect them to url-linkay.tk where this "video player" is displayed (thedominio.info now redirects to url-linkay.tk.).

This part is a typical clickjacking using a transparent frame to hide the Facebook like plugin button.

Clicking on the play button "likes" the page and spreads it to your Facebook News Feed.

Firefox users with NoScript installed will get this ClearClick Warning dialog which shows the contents of the transparent frame.

Users without some sort of clickjacking protection will be redirected back to Facebook, to another app page.

Complete malware analysis is often limited by real-world circumstances.

Many of the trojans that we analyze will attempt to connect to a remote server for further instructions. At this point, we know that the software is not legitimate and should be blocked from installation on our customer's computers. We don't really need to examine it any further (and often times, the server is offline). But just what would that trojan do if it only had access to its remote master?

We use automation to test malware in an isolated network. We don't generally test malware with a real Internet connection because we want to limit possible exposure to the rest of the world's netizens. But every now and then something catches our interest and we'll perform a manual test.

There was a recent report of a malicious Android package installation being hosted on a fake "Android Market"-lookalike site, which was pushed to users from an advertisement link.

The distribution strategy itself is not new. We saw variations of this happening with Google advertisements 2 years back, though in that case it was rogue or scareware that was being pushed by the advertisements.

What is interesting about the case is: Android application repackaging. We've seen this tactic being used quite frequently in the last few months, as it seems to be the favored "quick" way for malware authors to produce new Android malware.

What's also interesting is that this seems to be a popular way for developers to produce "new", clean applications. We've been seeing a rash of repackaged applications posted on the official Android Market. (Android apps are written in Java, and so they have a very low threshold for cloning, there are no real barriers to reverse engineer them.)

One example we saw recently is shown below, with the original app on the left and the repackaged app on the right:

The repackaged application has the same modules as the original, but includes an advertisement module. In some cases, there were no technical changes from the original application at all — just a change in the app name, of course.

Most of the repackaged apps we've seen are "clean" in that they don't have any malicious code included in them. So far, we also haven't seen any instances of the repackaged apps being distributed as paid apps.

Presumably, the point of the repackaging is to include the advertisement module, with the developers gaining some kind of monetary reward when users view or click through the ads being displayed.

However, since the repackaging was most likely done without the consent of the original developer(s), the repackaged app would probably be considered pirated, or at least intellectual property theft to the original developer.

This is still something of a grey area though, especially as Google doesn't actively vet every application posted on the Android Market. Whether most developers — and users — are going to consider these repackaged apps as just another side-effect of an "open market" philosophy, or conversely as rip-offs of a developer's honest efforts, is anybody's guess.

This trojan is in the wild, but is not highly prevalent. Our antivirus blocked it based on behavioral heuristics even before we added a signature detection.

Additional analysis from our Threat Research team tells us that the trojan attempts to connect to fatgirlsloveme.com (Whois). The site/server was not online two days ago, but its proxy now appears to be active (hosted in Germany).

For those of you that don't use Twitter because you don't do social networking (it's really social media), but that want to be alerted to breaking stories, here's an RSS feed that you can use to "follow" Mikko Hypponen:

Richard O'Dwyer was in the news this weekend. He's a 23-year-old from the UK that is facing extradition to the USA over tvshack.net, a website which was seized by the US government due to claims of copyright infringement.

Now, all this paints a very different picture than that of the "geeky boy sitting in his room with his computer". (Is it all just a defense strategy?) Perhaps his mother's view is truly one side of Richard O'Dwyer. And perhaps O'Dwyer really is in fact a student. But clearly there's another side to Richard, racing car enthusiast and businessman, and it's a side that somebody is now trying to erase.

And that's easier said then done in the age of Social Media.

Remember folks, if you put it online, it tends to stay online in one form or another (up to seven years).

Setting aside the legal questions, we look forward to seeing how Richard's digital persona evolves as his lawyer fights extradition.

But that's not the real point. This is a snatch and grab. Before the window is rendered, the application will fetch the Bitcoin wallet.dat file (if it exists) from this location:

%Documents and Settings%\\AppData\Roaming\Bitcoin\wallet.dat

Coinbit.A then attempts to send the wallet.dat to a @hotmail address via a Polish SMTP server. The .pl server address is hardcoded. Reportedly, the password of the server account has been changed so this variant is no longer effective.

Performing a search for the hardcoded @hotmail recipient e-mail address leads one to this thread at bitcoin.org's forum.

It appears the pickpocket posted links in the forum's chat application. If the forum members clicked the link and downloaded the trojan, they risked losing their wallets.

To quote a forum member:

"No doubt that sucker is going straight for your wallet.dat""People will loose coins from this!"

He had done a Google News search, looking for latest press coverage on F-Secure and had found something odd.

I was not familiar with this news source, so I checked their front page.

And there it was. A fabricated article claiming that I and fellow security researcher Brian Krebs were arrested for selling stolen credit cards. As a sidenote, the article also mentioned that we were lovers. Now, let me make it clear: Neither of these claims are true. I like Brian, but not like that.

Here's the fake article:

So, I called Brian up. He had already seen the article and had a pretty good idea who had done it, too. We have no idea how it ended up on fraud-news.com though.

Of course, fake news like this travel fast.

So let me just state it for the record that I'm not arrested and I have not been involved in selling stolen credit cards…

—————

No, I was not indicted either. Thanks for asking.

Signing off,Mikko

P.S. The fake article is a modified version of a real article written by Brian in 2007. The fake screenshot is based on a posting on a real crime forum at omerta.cc/showthread.php?t=1474

—————

Updated to add: Administration of fraud-news.com contacted. Here's what they wrote:

From: info@fraud-news.com

Hi Mikko

Thanks!. When I checked the site today I was shocked to see what appearedto be a fake story posted by someone who has hacked into the site. I thenchecked on net and then saw your email, which confirmed that someone has"hacked" in to post this news item.

I have now regained access to the system. I have quickly edited the newsitem but kept the headline while replacing contents with my notes. That isjust to make sure that any visitor who follows the title from another siteor Google news is able to see that it was a fake entry. Removing thearticle altogether may result in a broken link which may leave somereaders guessing. Hope that is fine with you. I hope to make another postto explain this further.

I took over this site - fraud-news.com was initially a community basedsite - somewhere last year, and as at now the only way the news can bepublished (which is picked up by Google news) is by making a forum postand then upgrading it as an article. The forum runs on vBulletin latestsuite (Blog + Forum). I am trying to check into the logs and othersettings to see how someone was able to use the username 'FraudNews' whichI had the exclusive access as the super admin, or made the post throughanother alternative mechanism through loopholes in vBulletin, if any. Ihave also turned off the forum while we ensure the security of the site.

Strangely, fraud-news.com has recently come under attack as well, and inApril/May we were under a DDOS, at which time we temporarily moved thesite to DDOS protected hosting. The repeated attacks made publishingarticles harder. The site is popular due to the forum which pulls all thescam/fraud related news and alerts. Since we tend to give all scam alerts,we may have ended up a target. However this is the first time someone"hacked" to make an unauthorised post, looking to make use of our site totarget your entity/reputation. I will be monitoring the fraud-news.comclosely to ensure that the culprit doesn't make another attempt.

Finally, many apologies for the inconvenience this has caused to allconcerned.Arun Arunagiri

The US Attorney's office has today frozen a Swiss bank account belonging to Sam Shaileshkumar.

Mr. Shaileskumar, together with Björn Sundin were the main figures behind Innovative Marketing Ukraine, a malware house that was operating from Ukraine. Neither Shaileshkumar or Sundin were nationals of Ukraine themselves. Shaileshkumar holds a US passport while Sundin is Swedish.

The amount of money in the frozen account? A cool $14,800,000. This is believed to be only part of the proceeds IMU did while using malware to push out rogue security products such as "Systemdoctor".

As usual, these products did nothing useful. They found "problems" from any computer and would only "fix" them after you purchased a license.

The authorities have been after Sundin and Shaileshkumar for quite a while. Both are still on the run.

Facesnoop 2 was released sometime recently and claims to have "ACTUAL video proof" that it works.

(ACTUAL must be better than actual.)

The video depicts the "hacking" of an account belonging to a young woman named Kristen.

We think Kristen is just a sockpuppet account, so we've blurred the profile picture.

Once you've watched the Facesnoop video, and decide to download, you're directed to a webpage at ShareCash.Org which prompts you to fill out Cost Per Action (CPA) affiliate marketing surveys. (Offers from many of the usual CPA suspects. This is how Facesnoop monetizes his software.)

There's a problem though.

This is what happens when you launch Facesnoop 2:

You get an "Unhandled Access Violation" exception that claims there is a "Net Framework 2.0 missing library". Most people probably click on the "Check For Updates" button at this point, and that opens a webpage requesting even more CPA surveys to be filled out.

Facesnoop's Facebook page has several complaints about this.

(Seriously, who complains about a Facebook hack-tool failing to work on a Facebook Page???)

The Facesnoop author has created a newer page, and it opens to the Info tab to avoid visible complaints.

All of the people complaining about the error shouldn't really be surprised though…

Examining the properties of the executable shows that it was designed to fail.

Look: the Internal Name of the file is "Facesnoop 2 error.exe".

This isn't a hack-tool — it's a fraud-tool.

You can see more details in the executable's code:

(SHA-1: 2862de8e506414589b923f8faa49bf8fc81238e2)

E:\Nicolas\Code\fn2 error\Facesnoop 2 error\…

Nicolas? Hmm, where have we seen that name before?

Oh yes, the first video's sockpuppet "victim" was called Hayley.

And the Hayley account has a friend named Nicolas.

And the Nicolas account just happens to "like" Facesnoop. Is it the hack-tool author himself?

We don't know for sure.

All we do know, whomever Nicolas is really… he thinks you're a sucker.

When opened, the PDF (md5: 20ecffdc2ecea0fbe113502bec0c938c) uses a known Adobe Reader exploit to drop a backdoor to the system. While dropping the backdoor, it displays this PDF on-screen to fool the user into believing everything is okay.

The bait PDF talks about an Information Systems Security Association event in Alabama on the 9th of June, 2011. Which is today.

The backdoor connects to a server at 119.202.148.82, which is somewhere in South Korea.

While some folks were distracted by the Mac scareware component, it appeared to us as only the secondary factor in the overall attack. The Windows component, a fake "Adobe Flash Player" update, has ZeuS bot characteristics according to an analyst on our Threat Solutions team. We therefore conclude that the attack was focused on building a Windows OS botnet, and that the Mac OS scareware was tacked on as a bonus (as there are no ZeuS binaries to push at Mac users).

Facebook took more than 24 hours to block malicious links redirecting to newtubes.in: a domain using an Indian TLD, hosted on a Lithuanian server, and registered to "Narcisa Scott" of Thailand.

In the end, all links used by the attack were deleted by Facebook.

And we had hoped last week that Facebook killed whatever spam/attack vector was being used.

But that hope was in vain.

The same bad guys are now spamming links to porn sites via Facebook profiles:

You can see profiles posting the links via an Openbook search for "Free Tube Hub".

The sites, which have names such as blackbootyblog.com, ebonyarea.com, justebonypussy.com and ebonykey.com, all have a common theme…

That's because many of them are hosted on the same server:

The website server appears to be compromised and a folder called /watch/ has been inserted that contains script which attempts to redirect users to borntobefree.in: a domain using an Indian TLD, is hosted on a Lithuanian server, and is registered to "Andrew Farrell" in Thailand.

Sounds familiar.

So… the porn site server is a smokescreen to hide the real attack site, borntobefree.in.

Neat trick.

As was the case in last week's malware attack, too many visits from the same IP address will result in a redirection to youtube.com. Also, the attack server is Geo-IP aware and focuses on users from the USA and UK.

We currently see no evidence that these links are being spread "virally" via Facebook Platform. Instead, they appear to be posted directly to profiles via bots.

If true, Facebook has a problem. To block these types of attacks, they'll need to suspend the profiles of infected users. But how to inform the user as to which computer is infected?

As we said last week, this is a highly professional attack using well developed techniques.

And it looks to us as if it could be here to stay for a while.

—————

Updated to add on June 9th: Bots continue to spam Facebook with porn based links, and Facebook continues to fail at blocking them (72+ hours and counting).

The links are not redirecting to malware at this time, based on our analysis. Instead, they are currently redirecting to two additional porn sites, one of which we saw last week when these links were pushing fake Flash Players and Mac scareware.

The spammed links use very consistent text, so it's quite surprising that Facebook doesn't have some sort of automation to block accounts from posting the links.

The structure is as follows: there's a porn site, hosted on a common server (see above) and it contains a folder called "/watch/". That folder contains a page with script to pull content from another location:

In this case, greatfeel.in, another Lithuanian server with an Indian TLD.

And no big surprise, greatfeel.in is also registered to "Andrew Farrell" in Thailand.

Another Android malware utilizing the root exploit "Rage Against The Cage" has been found. We were able to find a sample ourselves, and we now detect it as Trojan:Android/DroidKungFu.A.

This new malware was embedded on a trojanized application that may require a root access in order to conceal itself. The infection occurs in two parts:

Infection: Part 1

The first part is the installation of a trojanized application that would gain root privilege and install the com.google.ssearch application. This application points to the Trojan:Android/DroidKungFu.A's service component that will start a service com.google.ssearch.Receiver. On the creation of this service, it will call the function getPermission() that will install an embedded APK.

This will call for checkPermission() that will check if com.google.ssearch.apk already exists. If not, it will install the "legacy" file, which is an APK file, to the "system/app" (the application folder).

Infection: Part 2

The second part deals with the main malware component, com.google.ssearch.apk. As we may recall, this component was also present in the trojanized application.

Here is a screenshot showing the com.google.ssearch.apk installed.

The malware appears to have a backdoor functionality. Here are some of its capabilities that we have seen:

Root is set to 1 as to signify with root, and these information are then sent to "http://search.gong[...].php."

The malware obtains the commands from "http://search.gong[...].php" by posting in the "imei," "managerid" and root value. It also reports the status of the commands on "http://search.gong[...].php" by posting in "imei," "taskid," "state" and "comment."

Threat Solutions post by — Zimry

—————

Updated to clarify: The original discovery of the trojan was by a research team at North Carolina State University. We were able to independently find a sample for our own analysis.

An article in the Washington Post reports that members of British intelligence vandalized an issue of the Inspire magazine. Inspire is the English-language lifestyle magazine of Al-Qaeda, published online in PDF format. They have published five issues so far.

When the first issue was published last year, most jihadists ended up downloading a corrupted version instead of the real deal. The corrupted version was manufactured and spread by British intelligence.

Here's what the corruption looked like.

Below, the cover of Inspire #1. On left, the real version, on right, the corrupted version. There's no visible difference.

Table of contents. No visible difference.

Page 4. Suddenly, the contents of the doctored version turn into binary garbage:

This continues throughout the magazine. Here's page 41:

The binary garbage that replaced the extremist content seems to be random bytes. In reality it's a raw dump of a file with cupcake recipes, pasted to overwrite the original content.

When we analyzed the corrupted version, we thought it would be plausible that it would contain malware or exploits. However, it did not.

Mac malware has been making lots of news recently, and much of the analysis has focused on Mac's market share, which in the USA, is around 15%. But market share is only a single data point. Is that the whole story?

Ever since we got wind of a variant of an AdSMS trojan with more aggressive functionalities making the rounds in various online forums, we've been on the lookout for more samples to analyze.

It hasn't been easy — there was a report of "more than 20 Android apps" being identified, but most of them seem to have been pulled out of circulation already. A lot of heavy forum trawling was required, which is a good thing for most users — it's not easy to get this trojan.

Analysis is still ongoing, but here are a few snippets based on the samples we have:

As before, the malware is a trojanized version of a legitimate app. For this sample, it was a paper toss game. For a simple game though, the permissions it requests are suspicious:

An alert user should be suspicious when a game says it needs to send SMS messages and read your personal information.

Once installed, the trojan is designed to prompt the user to "update" the program to a new version, with a "lightning update in 1 second" (?):

Once updated, the device is restarted and the malware is successfully installed under "com.android.battery", though it lists itself as appsms.apk in the application folder.

The trojan contains a known exploit, rageagainstthecage, for gaining root access and will run four malicious classes as services in the background: Adsms.Service, SystemPlus, MainRun and ForAlarm.

Other functionalities appear to be as reported, though we'll be continuing analysis — and hunting for more samples. We will be detecting this as Trojan:AndroidOS/AdSMS.B.

Contrary to our earlier post, rather than using the "Like" feature, we now think the malware was spreading by posting directly to Facebook accounts. The posted link used the Like feature's icon rather than icons used by Links or Videos.

Here's what Facebook search revealed a couple of hours ago:

And this is an example from a user's Wall:

The "LOL, just found new tube site" link didn't reference any .php as the others.

Here you can see the same site, newtubes.in, was used on Sunday:

The subject was "Boobs Too Big For Seatbelt".

The bad guys attempted, and failed, to launch their attack during the Memorial Day holiday weekend, with big boobs.

As mentioned earlier today, the attack site was Geo-IP and OS aware, and focused only on USA/UK IP addresses. All others were safely redirect to youtube.com. It also employed anti-analysis evasion techniques, such as blocking IP address that visited too frequently. This was a highly professional attack using well developed techniques.

There's a significant Facebook malware attack occurring at the moment.

The attack is spreading virally using Facebook's "Like" feature — a method well established by rogue Cost Per Action (CPA) marketing affiliates. But unlike CPA spam that redirects to deceptive ads, this "viral video" is linking to a Lithuanian server that serves up Windows and/or Mac malware.

This is the first time we've seen malware using "viral links". (Stuff such as Koobface uses phishing and compromised accounts.)

When testing the link from Germany, Finland, France, India and Malaysia, we were safely redirected to youtube.com. Testing from the USA and UK offered up Mac scareware or Windows malware depending on our browser user agent IDs.

The attack is GEO-IP as well as OS aware.

And though this attack started more 16 hours ago, Facebook does not yet block links to newtubes.in even though the subject text and the root domain has remained unchanged during that time. This could be due to the fact the attack is utilizing Facebook "Likes" rather than posting links to user's Walls which can be more easily filtered by Facebook's security team.

Or perhaps they're still catching up on their post-Memorial Day holiday e-mail…

At 19:12 GMT the domain used switched from newtubes.in to shockings.in.

Correction to above: The malware is using the Facebook "Likes" thumbs-up icon, but appears to be spreading via another method. Additional analysis suggests that the malware itself may be injecting a post into the victim's Facebook session.

Try as we might, our test account was not compromised by the attack server's webpage. We are now speculating that the Windows malware is a Koobface like worm with ZeuS like webinject capabilities. Our analysis continues.

We recently did an analysis on a trojan, AdSMS, that's been spreading for the last week or so and thought it might make an interesting contrast to the rash of trojanized Android apps that we've been seeing lately.

AdSMS is distributed via a malicious link in a spammed SMS message. The malware appears to be targeted to Android users in mainland China, as the SMS is faked up to look like it's from a major Chinese telecom network and the download link deliberately spoofs a domain name associated with the network.

AdSMS is promoted as an "update for a security vulnerability". Sounds like a throwback to the old Symbian trojans (e.g. Merogo and MapUp), which used this exact same distribution and social engineering strategy.

If the user clicks the link, the malware is downloaded. These are the permissions the trojan requests:

An update that needs to send SMS messages? Hopefully an alert user would notice that and suspect something's amiss.

Once installed, AdSMS doesn't add an icon for itself on the application menu; it just runs silently in the background. Users need to check the Setttings > Applications > Manage Applications menu to see if it's present, under the name "andiord.system.providers":

Again, an old trick, though in this case previously seen in mobile espionage suites such as Phone Creeper and Flexispy. Incidentally, once on the Manage Applications menu, users can uninstall the trojan as per a normal application.

Once installed, the trojan steals phone details, connects to a remote site to download more files. It also has the capacity to read, write and send SMS messages, much like the preceding Trojan:AndroidOS/Fakeplayer.A.

So there's nothing new about this trojan's tricks per se, but it's one of the first we've seen on the Android platform to try some of them.